New spy laws to challenge privacy

Should the government be allowed to pry?

In the coming weeks, the government intends to hold public consultations into new laws that will force telecommunications and technology companies to provide access to encrypted communications and devices – or face harsh penalties.

The laws are in response to an ever more integrated digital world, for which encryption is the backbone.

Everything from our phone calls and messaging to browsing and banking, is encrypted for our privacy.

By definition, this makes it unreadable by third parties, including law enforcement and Australia's intelligence services.

It's a problem being tackled by governments around the world and, according to Cyber Security Minister Angus Taylor, all eyes will be on Australia as a test case with what he says will be “the most comprehensive” legislation to date.

That might be quite a call.

In 2016 the UK introduced its updated Investigatory Powers Act, which gave such sweeping and unregulated powers to pry into communications and personal data that China cited the Act in defence of its own anti-terrorism legislation -- which is perhaps not quite the ringing endorsement a democratic government might want.

Indeed, the European Union's Court of Justice later ruled against the Act, stating that the “general and indiscriminate retention of personal communications data by police and security services cannot be considered justified within a democratic society.”

The UK was given until November this year to tone down the laws, with suggested changes including the establishment of an independent oversight authority, restricting request for warrants to ‘serious crime' with long punishable prison sentences, and removing multiple use cases which included health, tax and financial data.

This is important because, for better or for worse, the government has indicated that the UK Investigatory Powers Act will be a model for our own legislation.

When announced last year, Attorney General George Brandis said the laws will “impose an obligation upon device manufacturers and upon service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis.”

Quite what this will look like isn't clear, but the inclusion of device manufacturers is telling.

While the government could compel telecommunications operators like Telstra and Optus along with the nation's ISPs to provide decrypted communications -- where they hold the encryption keys -- the same is not true where keys are stored on a device.

This is true for encrypted end-to-end communication apps like Signal and WhatsApp, preventing anyone from snooping on communications, including intelligence agencies.

It’s also true of personal data stored on a device, such as messages and photos, which modern smartphones encrypt by default.

This is not an easy problem to solve.

One potential solution raised in similar debates in Europe is the covert installation of spyware, enabled by a telco or device manufacturer, providing a back-door into a device to read unencrypted data and monitor communications.

In the US, proposed solutions for accessing data on phones include a master decryption key stored on the phone, itself encrypted by a key only the manufacturer like Apple or Samsung holds.

This manufacturer key could then be provided on a warrant to decrypt the device.

While it’s clear something needs to change, these solutions and any others that try to bypass device security all have one fundamental flaw: they add a weak link to the security chain.

A back door for the good guys is a back door for the bad guys too, without exception.

Human beings are fallible and corruptible, and the keys to the kingdom will eventually make it out into the wild.

And when they do, all devices – yours, mine and everyone else’s – will be at risk.

When the public consultation begins, take the opportunity to participate.

No one can argue that our intelligence and law-enforcement services shouldn’t have the best tools at their disposal to help catch criminals and terrorists.

But we must also remember that some doors, once open, cannot be closed.